Embodiments of the present invention relate to authorization systems, and more particularly to techniques that enable authorization of requests to access resources to be handled in an efficient manner.
Sensitive information requires careful and effective access control that governs who can access the information. For example, in a large enterprise, information related to the enterprise (e.g., business information) needs to be protected from unauthorized access. In such an enterprise, an authorization system is generally used to regulate access to the enterprise's information. A set of security policies is generally configured for the enterprise and the authorization system uses these configured policies to control access to the information. The set of security policies may, for example, be configured by an enterprise system administrator or a data security administrator.
In an environment where access is controlled by an authorization system, the various entities or objects that can be accessed are usually modeled in the form of resources. For example, in an enterprise environment, resources may include documents storing business information, subparts of a document (e.g., a paragraph within a document), one or more websites (e.g., a business website), one or more web pages stored by the sites, and the like. The authorization system controls access to these resources based upon one or more security policies configured for the environment. In a typical setup, all access or authorization requests to access one or more of the resources are intercepted by the authorization system and have to be authorized by the authorization system before access to the requested resource can be granted. The authorization system performs authorization, which is the process of determining if a user identified in the authorization request has a right to (or is allowed to) access a requested resource. The user is allowed to access the resource only if successfully authorized by the authorization system.
In a typical business or enterprise environment, the number of resources is usually very large. Likewise, the number of security policies for controlling access to these resources is also very large. Further, the number of users wanting to access the resources is also typically very large. As a result, the authorization system generally receives and has to process a large number of resource access requests, which may be received serially or even concurrently. Due to a combination of the very large number of resources, a large number of policies, and a large number of users, the authorization-related processing performed by an authorization system is complicated and requires a lot of computing resources (e.g., processing resources such as CPU usage, memory resources) and consequently is time consuming. For example, for each authorization request, the authorization system has to process all the security policies to determine whether or not a user identified in the access request is allowed to access the requested resource. Existing authorization systems cannot keep up with the growing number of resources, security policies, and users, and are not scalable.